Active Directory Structure and Group Policy

Group Policy implementation is one of the considerations in planning the Active Directory structure for your organization. The basic units of Group Policy are Group Policy objects. These are basic units in the sense that you link (or do not link, as the case might be) an entire Group Policy object at a time. It is not possible to link only a subset of a Group Policy object to a target. Using security groups to filter the scope of Group Policy also has the effect of turning the entire Group Policy object on or off; it does not function on only part of a Group Policy object. (Notwithstanding the fact that the Software Installation and Folder Redirection extensions of Group Policy exploit permissions to tailor the behavior of those particular extensions based on security group membership.)

There are two types of Group Policy objects: local Group Policy objects and non-local Group Policy objects.

Note

Each Windows 2000–based computer has only one local Group Policy object.

In the rest of this section, all Group Policy objects are non-local unless otherwise specified.

Group Policy objects are stored in a Windows 2000 domain, and their effects are enabled on sites, domains, or organizational units to which they are linked.

  • A Group Policy object linked to a site (using Active Directory Sites and Services) applies to all domains at the site.

  • A Group Policy object applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in organizational units (and in generic Active Directory containers) farther down the Active Directory tree as seen in the Active Directory Users and Computers namespace.

  • A Group Policy object applied to an organizational unit applies directly to all users and computers in the organizational unit and by inheritance to all users and computers in organizational units (and in generic Active Directory containers) farther down the Active Directory tree as seen in the Active Directory Users and Computers namespace.

It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computers containers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance.

The local Group Policy object is applied first. Then site-linked Group Policy objects are applied in administratively specified order, then domain-linked ones in specified order, and lastly organizational unit-linked Group Policy objects beginning at the highest (in Active Directory hierarchy) organizational unit containing the user or computer account and ending with the lowest (closest to the user or computer) organizational unit containing the user or computer. At each organizational unit, any Group Policy objects linked to it are applied in administratively specified order.

The order of application detailed in the previous paragraph (1. Local, 2. Site, 3. Domain, 4. Organizational Unit) is significant to the architect of Active Directory, because by default, policy applied later overwrites policy applied earlier for each setting where the later-applied policy is either Enabled or Disabled. Settings that are Not Configured don't overwrite anything — any Enabled or Disabled setting applied earlier is allowed to persist.
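The two rules above (processing order local, site, domain, then organizational units from the top of the tree down, and Not Configured never overwriting an earlier Enabled or Disabled) are easy to get wrong when reasoning about a deep OU tree, so the following added example models them. It is illustrative code written for this page, not part of the original text or any Microsoft tool; the GPO names, setting names, site name and distinguished names are constructed, and it assumes that each linked list is already in administrative application order (first entry applied first). It also shows the point from the inheritance discussion earlier on the page: an object in a generic container such as CN=Users cannot have a Group Policy object linked at the container, but still receives the site-linked and domain-linked ones.

```python
"""Toy model of Windows 2000 Group Policy processing order and precedence.

Added example (not from the original documentation). All directory data
below is constructed for illustration.
"""

NOT_CONFIGURED = "Not Configured"
ENABLED = "Enabled"
DISABLED = "Disabled"

# Constructed links: scope key -> GPO names in administrative application
# order (assumption: first listed is applied first, so later ones win).
LINKS = {
    "local": ["Local GPO"],
    "site:Default-First-Site-Name": ["Site Baseline"],
    "domain:example.com": ["Default Domain Policy", "Domain Audit"],
    "ou:OU=Corp,DC=example,DC=com": ["Corp Desktop"],
    "ou:OU=Sales,OU=Corp,DC=example,DC=com": ["Sales Lockdown"],
}

# Constructed settings for each GPO. Setting names are illustrative only.
SETTINGS = {
    "Local GPO": {"Disable Registry Tools": ENABLED,
                  "Audit Logon Events": NOT_CONFIGURED},
    "Site Baseline": {"Audit Logon Events": ENABLED},
    "Default Domain Policy": {"Password Complexity": ENABLED,
                              "Disable Registry Tools": DISABLED},
    "Domain Audit": {"Audit Logon Events": NOT_CONFIGURED},
    "Corp Desktop": {"Remove Run Menu": ENABLED},
    "Sales Lockdown": {"Remove Run Menu": NOT_CONFIGURED,
                       "Disable Registry Tools": ENABLED},
}


def parse_dn(dn):
    """Split a distinguished name into (type, value) pairs, leaf first.
    Toy parser: assumes no escaped commas inside values."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append((typ.strip().upper(), val.strip()))
    return parts


def application_order(dn, site, links=LINKS):
    """Return the GPO names that apply to the object at `dn`, in processing
    order: local, site, domain, then each OU from the highest down to the
    one containing the object. Generic containers (CN=...) cannot carry
    links and are skipped, but everything linked above them still applies.
    """
    parts = parse_dn(dn)
    domain = ".".join(v for t, v in parts if t == "DC")
    scopes = ["local", f"site:{site}", f"domain:{domain}"]

    acc = []  # RDNs from the root downward, used to rebuild each OU's DN
    for typ, val in reversed(parts):
        acc.append(f"{typ}={val}")
        if typ == "OU":
            scopes.append("ou:" + ",".join(reversed(acc)))
        # DC components form the domain (handled above); CN objects and
        # generic containers are not valid link targets, so nothing is added.

    order = []
    for scope in scopes:
        order.extend(links.get(scope, []))
    return order


def resultant_policy(ordered_gpos, settings=SETTINGS):
    """Merge settings in processing order. A later Enabled/Disabled value
    overwrites an earlier one; Not Configured leaves the earlier value."""
    result = {}
    for gpo in ordered_gpos:
        for setting, value in settings.get(gpo, {}).items():
            if value == NOT_CONFIGURED:
                continue  # earlier Enabled/Disabled persists
            result[setting] = (value, gpo)
    return result


def rsop(dn, site="Default-First-Site-Name"):
    """Convenience wrapper: resultant policy for one user or computer."""
    return resultant_policy(application_order(dn, site))


if __name__ == "__main__":
    for dn in ("CN=jdoe,OU=Sales,OU=Corp,DC=example,DC=com",
               "CN=svc-backup,CN=Users,DC=example,DC=com"):
        print(dn)
        print("  order:", application_order(dn, "Default-First-Site-Name"))
        for setting, (value, src) in sorted(rsop(dn).items()):
            print(f"  {setting}: {value} (from {src})")
```

Running it shows the user in OU=Sales ending up with Disable Registry Tools Enabled from Sales Lockdown (the domain's Disabled value was overwritten by the later OU link), while Remove Run Menu stays Enabled from Corp Desktop because Sales Lockdown leaves it Not Configured. The account in CN=Users receives only the local, site and domain objects, so its Disable Registry Tools value is the domain's Disabled.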

This is the default behavior. Mechanisms exist that let you either force or prevent Group Policy objects from affecting groups of users or computers. The most powerful mechanisms for avoiding the default behavior are the No Override and Enforce Policy Inheritance settings. It is best to minimize the use of these.